Black Hat Europe Speakers Urge Attendees to Know Attacker Tools and Techniques
A clear theme Wednesday throughout the first day of the Black Hat Europe conference was the importance of approaching the design and defense of networks and systems by thinking like the enemy.
“The most dangerous thing is defenders who never get real information from actual attackers … the real people doing the real attacks,” said Jeff Moss (@thedarktangent), the founder of Black Hat, as he kicked off the conference in London.
In other words, don’t just focus on what works in theory, but focus on how it works – and can be broken – in practice.
Saying “I have to know how to be bad if I want to do good,” might sound like the weak defense of a teenager who’s been caught misbehaving. But throughout the first day of the conference, security experts said that the rules of the cybersecurity game increasingly dictate that no system gets designed and deployed unless there are continuing efforts to refine that design to better defend against anyone who might try to exploit it.
Through the Looking Glass
For many security professionals, however, mastering this mindset may feel like Alice going through the looking glass. “You’re leaving the reality of what you know for a fantasy world you know nothing about,” said Amanda Rousseau (@malwareunicorn), an offensive security engineer at Facebook, in the conference’s opening keynote speech.
Rousseau is a member of Facebook’s red team, the group that hacks the social network’s systems to help engineers make them better. The team, founded in 2011, today works to protect Facebook’s 2.4 billion users.
In military operations terminology, red teams attack and blue teams defend. But in the cybersecurity realm, “the reality is that everyone is on the same side,” Rousseau said. “For those who are actual black hats in the audience, this might not apply to you.”
For everyone else, she recommends avoiding any red/blue dichotomy and instead pursuing a more “blended” mindset.
Challenge: Free Pancakes
Rousseau offered an example of how an adversarial mindset can be brought to bear by posing this problem: “You want to eat some pancakes for free at a chain restaurant. There are no rules.”
She offered three levels of potential scenarios for how an attacker might accomplish this:
- Simple: “Dine and dash,” meaning eat then run away without paying.
- Complex: Use fake currency, or pretend to be an employee to eat for free.
- Extreme: Pull a fire alarm, or threaten employees with violence.
Rousseau said Facebook’s red team will “go through this process and work with engineers and apply this type of thinking to the things they’re building – the features and products.” And although extreme threats might not be likely, she said they must at least be explored in case relevant defenses must be put in place.
All problems that Facebook’s red team identifies get scored based on factors that include “financial impact, reputational impact, policies that are in place, privacy, do we have the technical expertise, is it innovative enough, can we validate protections that are already in place, and will it drive change,” Rousseau said. Problems get prioritized based on their score. “This way we can stay within the bounds of effectively driving change,” she said.
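The scoring step Rousseau describes can be turned into a small, repeatable prioritization routine. The following is an added example, not Facebook's own tooling: the factor names are the ones she listed, while the 0 to 5 rating scale, the numeric weights, the cut-off and the sample findings are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Factors are the ones Rousseau named. The weights are assumed for this example
# (not Facebook's values) and express how strongly each factor pushes a finding
# up the queue. Every factor is rated 0 (none) to 5 (severe / strong).
WEIGHTS: Dict[str, float] = {
    "financial_impact": 3.0,
    "reputational_impact": 3.0,
    "policy_gap": 1.5,             # weaker existing policy => more urgent
    "privacy_impact": 2.5,
    "technical_expertise": 1.0,    # does the team have the skills to pursue it
    "innovation": 1.0,             # is the scenario novel enough to be worth the effort
    "validates_protections": 1.5,  # does it exercise controls already in place
    "drives_change": 2.0,          # will fixing it actually change something
}
MAX_RATING = 5


@dataclass(frozen=True)
class Finding:
    name: str
    ratings: Dict[str, int]


def score(finding: Finding) -> float:
    """Weighted sum of the factor ratings.

    Unknown factors and out-of-range ratings are rejected so that a typo in a
    factor name cannot silently drop a finding to the bottom of the queue.
    """
    unknown = set(finding.ratings) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"{finding.name}: unknown factors {sorted(unknown)}")
    for factor, rating in finding.ratings.items():
        if not 0 <= rating <= MAX_RATING:
            raise ValueError(f"{finding.name}: rating for {factor} out of range")
    # A factor that was not rated counts as 0 and contributes nothing.
    return sum(weight * finding.ratings.get(factor, 0)
               for factor, weight in WEIGHTS.items())


def prioritize(findings: List[Finding], min_score: float) -> List[Finding]:
    """Rank findings by score, highest first, and drop those below the cut-off.

    The cut-off is the 'bounds' Rousseau mentions: work below it is not worth
    the team's time right now.
    """
    ranked = sorted(findings, key=score, reverse=True)
    return [f for f in ranked if score(f) >= min_score]


# Constructed sample findings; names and ratings are illustrative only.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("Cryptominer persistence on build-server fleet", {
        "financial_impact": 4, "reputational_impact": 4, "policy_gap": 2,
        "privacy_impact": 1, "technical_expertise": 5, "innovation": 3,
        "validates_protections": 4, "drives_change": 5,
    }),
    Finding("Verbose error page leaks internal hostnames", {
        "financial_impact": 1, "reputational_impact": 2, "policy_gap": 1,
        "privacy_impact": 1, "technical_expertise": 5, "innovation": 0,
        "validates_protections": 1, "drives_change": 1,
    }),
    Finding("Support-tool session not bound to SSO device posture", {
        "financial_impact": 3, "reputational_impact": 4, "policy_gap": 3,
        "privacy_impact": 5, "technical_expertise": 4, "innovation": 2,
        "validates_protections": 3, "drives_change": 4,
    }),
]

if __name__ == "__main__":
    for finding in prioritize(SAMPLE_FINDINGS, min_score=30):
        print(f"{score(finding):5.1f}  {finding.name}")
```

With the assumed weights the session-binding finding (56.5) outranks the cryptominer scenario (53.5), and the hostname leak (21.5) falls below the cut-off of 30, so only the first two reach the engineering teams. The point of keeping the weights in one table is that the ordering can be re-derived and argued over, which is what makes the prioritization defensible rather than a matter of taste.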
Earlier this year, for example, she said Facebook’s red team – working with a small number of inside admins – wrote a Linux rootkit and used it to mine for cryptocurrency across thousands of servers, then worked with in-house engineering teams to validate and remediate the problems they found.
Nation-State Actors Have Bosses Too
Channeling the adversarial mindset isn’t just a technological exercise; it can help reveal attackers’ likely choices of tools and tactics.
“For a long time, our community has focused on the technologically cool or sophisticated, or the type of implant that takes so much time and effort to write, or these major operations, but the reality is that for these criminals, and especially for nation-states, they have bosses and budgets and requirements, just like the rest of us,” said Priscilla Moriuchi, director of strategic threat development at threat intelligence firm Recorded Future, in an interview with Information Security Media Group.
“People are going to be attacked with the lowest possible denominator, with the toolset and techniques that work, and no more than that,” said Moriuchi, who is a former enduring threat manager for East Asia and Pacific at the U.S. National Security Agency. “If you’re Russian, maybe you don’t mind if they attribute the toolset to you. For others, maybe you do, so you spend more time and money. … But they all have goals, requirements and deadlines.”
Know Hackers’ Tools
The tension over whether cybersecurity knowledge empowers defenders or attackers arose repeatedly during the conference, including during a session on how attackers run false-flag operations (see: Winter Olympics Gold Medal for False Flag Goes to … ?).
“Don’t hate on me if an attacker uses one of these techniques; by and large we’re probably not informing anyone who doesn’t already know,” said cybersecurity consultant Jake Williams (@malwarejake), head of Augusta, Georgia-based Rendition InfoSec. “Nation-state adversaries don’t need help with this.”
Defenders must be familiar with the tools attackers may use against them. “UMBRAGE was leaked by WikiLeaks; it’s ostensibly the CIA’s hacking toolset and language around that,” said Williams, a former member of the U.S. National Security Agency’s elite hacking team. “If you don’t have U.S. or Five Eyes clearance, I strongly suggest you take a look at UMBRAGE. … I am not a WikiLeaks supporter, not at all. That said, every nation-state attacker on the planet has read those documents. If you have not and you are defending, you are at a decided disadvantage.”
As the complexity of the cybersecurity realm continues to increase, defenders must strive to know how their enemies will be coming at them, said Moss, the Black Hat founder. “Everyone has a plan until they get punched in the mouth,” he said, quoting boxer Mike Tyson.